[arin-ppml] Comments on Draft Policy 2010-3
Joe St Sauver
joe at oregon.uoregon.edu
Thu Mar 18 14:24:53 EDT 2010
Chris Engel <cengel at sponsordirect.com> commented:
#It has been pointed out to me previously that such use would be a
#violation of WHOIS acceptable use policy....but I have yet to hear or
#see a single actual example of enforcement of that policy upon a
#violator...can anyone point me toward one? Nor do I see how, under
#current usage (anonymous lookup for anyone) such a policy COULD
#practicaly be enforced.
Zone files obviously have far different contents than whois servers,
but the topic of access policy enforcement came up during recent
ICANN Zone File Access Advisory Group discussions (e.g., see my post
at http://mm.icann.org/pipermail/zfa-ag/2010-January/000069.html )
Since authentication and access control requirements drive a major part
of the complexity underlying zone file data access provisioning,
-- IF authentication and access control *isn't* serving any demonstrably
useful purpose (e.g., usage isn't somehow being closely monitored, and
users with "unacceptable" usage aren't having their access revoked),
-- THEN copies of zone files could potentially simply be rolled out onto
an FTP server or web server (like any other data file) rather than
requiring users to first "jump through the hoops" of applying for
access, being granted access, and then using personalized credentials
to actually retrieve copies of the zone files.
I think it is unlikely that this would actually ever happen, but this
issue of unenforced policies driving potentially unscalable complexity
is a real one that the community should be paying attention to.
With respect to anonymous access to whois servers, I believe the only
policy enforcement mechanisms I've seen discussed or deployed for
traditional whois server access has been query rate limiting (or
out-and-out access blocking) on an IP-by-IP basis, a strategy of
limited eficacy in an era where addresses are assigned by DHCP with
short lease times (and the use of proxy anonymization services is
The situation for web based whois is somewhat more flexible, and
deployment of cookies and/or captchas to (somewhat) limit automated
access are the primary additional (albeit imperfect) "protections"
used in an effort to track and improve the security of that access
#For other purposes...it's not like you wouldn't be able to find out
#which address block a particular IP address belonged to for the purposes
#of filtering the block....
When it comes to managing abuse, the issue is not mapping an indvidual IP
to its encompassing network block -- I agree that this would continue to
be possible under draft policy 2010-3.
Unfortunately the abuse management issue is actually a three step process:
-- mapping an individual IP to the ultimately responsible *entity*
(the end user/customer), AND
-- identifying the full set of *additional* network resources that
abusive entity may *also* control ("generalizing reputation"), AND
-- applying appropriate sanctions (whether technical in nature, such
as blocklisting applicable network ranges, or administrative in
nature (civil suits or criminal enforcement, etc.)).
The second and third steps become difficult to accomplish without
the ability to successfully complete the first step.
#(like they'd list thier legitimate contact info in WHOIS anyway)....
The dismal state of whois accuracy (for domains) is well known, and has
been confirmed by things like the recent ICANN whois accuracy study
(still open for public comments, BTW, through April 15th, see
If you'd like to see stronger verification of domain whois point of
contact information, I would urge you to express that comment to ICANN
during the comment period.
With respect to *IP* whois point of contact validity, given the adoption
by ARIN of 2008-7 ( https://www.arin.net/policy/proposals/2008_7.html )
one might hope that the quality and validity of ARIN IP whois point of
contact data might improve over time, however the results listed at
https://www.arin.net/resources/request/whois_cleanup.html (an effort
listed as "complete" on that page) aren't very encouraging:
29,929 point of contact confirmation notices sent
1,854 bounced messages
1,192 responses received
That is, 1,192/29,929*100=3.9% of all points of contact have been
validated at this point.
That leaves a substantial volume of IP whois point of contact addresses
in an uncertain/unknown status, addresses which are unlikely to be
reliably usable for critical operational notifications or other
As IPv4 exhaustion increases the value of number assets, I hope
additional organizational attention can be devoted to insuring that
more than 3.9% of IP whois point of contact data is correct/usable.
Joe St Sauver, Ph.D.
Disclaimer: the opinions express do not necessarily reflect the opinion
of any other organization or entity.
More information about the ARIN-PPML